Collect all codebase locations that need to consider DAP role-based permissions

Summary

This issue serves as a collection point for identifying all locations in the codebase that need to consider and use the new DAP (Duo Agent Platform) role-based permissions for agents and flows.

Background

As part of implementing the role-based permissions defined in #578270 (closed), we need to systematically identify and catalog all code locations that currently handle or will need to consider DAP role-based permissions for:

  • Manage actions (Create, Duplicate, Edit, Delete)
  • Run actions (executing agents/flows)

Related Issues

Permission Summaries

Summaries of existing execute permissions and related authorization checks for DAP features when accessed through the GitLab UI:

  1. Flow Triggers
  2. Agentic Chat
  3. Built-in Flows

Note

These summaries are based on investigating and testing the DAP feature in the GitLab UI. IDE-based execution may follow similar flows, but this requires further verification and is not covered in these summaries.

Summary for existing manage permissions:

  1. Manage permissions

Areas to Investigate

Frontend Components

  • Agent/Flow listing pages
  • Agent/Flow creation forms
  • Agent/Flow editing interfaces
  • Agent/Flow execution triggers
  • Automate menu visibility
  • Flow trigger management UI
  • Service account selection dropdowns

Backend Controllers/APIs

  • Agent CRUD operations
  • Flow CRUD operations
  • Flow execution endpoints
  • Service account management
  • Project/Group automate settings
  • GraphQL resolvers for DAP

Authorization/Policy Classes

  • Agent policies
  • Flow policies
  • Service account policies
  • Project/Group DAP policies
  • Flow trigger policies

Database/Models

  • Agent model permissions
  • Flow model permissions
  • Service account associations
  • Project/Group DAP settings
  • User role intersections

Configuration Files

  • Feature flag configurations
  • Route definitions
  • Navigation menu configurations
  • Role-based permission matrix definitions

Collection Format

For each location found, please add a comment with:

**Location**: `path/to/file.rb:line_number`
**Component**: [Frontend/Backend/Policy/Model/Config]
**Action**: [Manage/Run]
**Current Implementation**: Brief description of current logic
**Required Changes**: What needs to be updated to consider role-based permissions
**Priority**: [High/Medium/Low]

Search Patterns

Use these patterns to help identify relevant code locations:

  • duo_agent, duo_workflow, agent_platform
  • flow_trigger, service_account
  • automate, DAP
  • Permission checks: can?, allowed?, authorize!
  • Role checks: maintainer?, developer?, owner?
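
One way to run the search with the patterns above and print a stub in the Collection Format for each hit, as an added example that is not part of the original issue or of GitLab's tooling. The function names, the directory-to-component mapping and the sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Patterns copied from the Search Patterns list in this issue.
DAP_IDS='duo_agent|duo_workflow|agent_platform|flow_trigger|service_account|automate|DAP'
AUTH_CHECKS='can\?|allowed\?|authorize!|maintainer\?|developer\?|owner\?'

# Map a path to a Collection Format component (directory layout is an assumption).
component_for() {
  case "$1" in
    *app/policies/*)          echo Policy ;;
    *app/models/*)            echo Model ;;
    *app/assets/*|*.vue|*.js) echo Frontend ;;
    *config/*)                echo Config ;;
    *)                        echo Backend ;;
  esac
}

# Stage 1: files that mention a DAP identifier.
# Stage 2: permission or role checks inside those files, one stub per hit.
collect_dap_checks() {
  root=${1%/}
  grep -rlE "$DAP_IDS" "$root" | sort | while IFS= read -r file; do
    grep -nE "$AUTH_CHECKS" "$file" | while IFS= read -r hit; do
      line=${hit%%:*}
      code=${hit#*:}
      code="${code#"${code%%[![:space:]]*}"}"   # trim leading whitespace
      printf '**Location**: `%s:%s`\n' "${file#"$root"/}" "$line"
      printf '**Component**: %s\n' "$(component_for "$file")"
      printf '**Action**: [Manage/Run]\n'
      printf '**Current Implementation**: `%s`\n' "$code"
      printf '**Required Changes**: TODO\n'
      printf '**Priority**: [High/Medium/Low]\n\n'
    done
  done
}

# Constructed sample tree (not GitLab code) for trying the function offline.
make_sample() {
  mkdir -p "$1/app/policies" "$1/app/models"
  printf 'class FlowPolicy\n  # duo_workflow\n  def run?; can?(user, :run_flow); end\nend\n' > "$1/app/policies/flow_policy.rb"
  printf 'class Note\n  def ok?; owner?; end\nend\n' > "$1/app/models/note.rb"
}

# Run against a checkout when a path is given, e.g. ./collect.sh path/to/repo
if [ "$#" -gt 0 ]; then collect_dap_checks "$1"; fi
```

Action, Required Changes and Priority are left as placeholders because they need a reviewer's judgment; the script only narrows the list of lines to read.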

Next Steps

  1. Conduct systematic codebase search using patterns above
  2. Document all findings in comments below
  3. Categorize findings by priority and complexity
  4. Create individual implementation issues for each area
  5. Estimate effort for each change

Acceptance Criteria

  • All current DAP role-based permission-related code locations are identified
  • Each location is documented with required changes to consider role-based permissions
  • Findings are prioritized and categorized
  • Implementation issues are created for each major area
Edited by Katherine Richards